
What’s New in Fireware XTM v11.6


diedrick


Presentation Transcript


  1. What’s New in Fireware XTM v11.6

  2. Changes in Fireware XTM v11.6
  • WatchGuard Servers
    • Schedule Tasks for Management Groups
    • Compliance Reporting
    • Automatic WebBlocker Database Updates
  • Authentication
    • Authentication Auto-Redirect to Host Name
    • Authentication Portal Support for Mobile Devices
    • Test LDAP or Active Directory Server Connection
    • Single Sign-On Support for Terminal Services
  • Configuration
    • Policy Manager Default View
    • XTM Configuration Report
  WatchGuard Training

  3. Changes in Fireware XTM v11.6
  • Diagnostics
    • Policy Checker
    • Download a PCAP File in FSM Diagnostic Tasks
  • Proxies and ALGs
    • New Deny Message in the HTTP-Client and HTTP-Server Proxy Actions
    • More data sources for Reputation Enabled Defense
    • SIP-ALG Registration Expiration
  • Networking
    • Increased Maximum Number of VLANs
    • Wireless Hotspot Splash Screen Uses HTTP
    • Configurable Dynamic Routing Policies

  4. Changes in Fireware XTM v11.6
  • Branch Office VPN
    • Inbound IPSec Pass-through
    • Improved VPN Phase 2 Key Expiration Settings
    • Branch Office VPN Diagnostics
    • Branch Office VPN Log Message Header
  • Help System Improvements
    • HTML5 and Improved Search
    • What’s New in This Release Topic

  5. WatchGuard Servers

  6. Schedule Tasks for Management Groups
  • From the right-click context menu, you can now schedule these tasks for Management Groups:
    • Schedule OS Update
    • Schedule Feature Key Synchronization
    • Schedule Reboot

  7. Compliance Reporting
  • New group of reports for compliance with HIPAA & PCI regulations
  • Reports included in this group:
    • Alarm Summary Report
    • Audit Trail
    • User Authentication Denied
    • Gateway AntiVirus Summary
    • Intrusion Prevention Service Summary
  • From WSC, schedule the Compliance Reports to generate. Select Report Server > Report Generation > Report Schedules.

  8. Compliance Reporting
  • Add a New Schedule that includes the Compliance Reports you want to generate.
  • Schedule the Compliance Reports to run once or recurrently.

  9. Compliance Reporting
  • Review Compliance Reports in Log and Report Manager.
  • Compliance Reports that have been generated for the selected device appear in the Available Reports list and on the Compliance tab.
  • You can pivot on the Compliance Report type (HIPAA or PCI) to update the data that appears in the report.
  • You can also export the displayed report details to a PDF file.

  10. Automatic WebBlocker Database Updates
  • The WebBlocker Server automatically updates the WebBlocker database every night at midnight, based on the local time on the WebBlocker Server.
  • The WebBlocker Server does not stop and restart during the update process.
  • The WebBlocker Server must be running at midnight for the update to occur.
  • There is no change to the WebBlocker Server management settings in WatchGuard Server Center.
  • You cannot change the update schedule or disable the automatic update.
  • You can still manually start a database update from WSC.
  • You can continue to use Windows Task Scheduler to run the “updatedb.bat” batch file, which is installed with WSM.
    • This does not disable the automatic update at midnight.

  11. Authentication

  12. Auto-Redirect to Host Name in Authentication Portal
  • Add a host name in the Authentication Portal page settings to redirect users from an IP address to a host name.
    • In Policy Manager, select Setup > Authentication Settings > Firewall Authentication.
    • In Fireware XTM Web UI, select Authentication > Settings.
  • Select the Automatically redirect users to the authentication page and the Redirect traffic sent to the IP address of the XTM device to this host name check boxes.
  • Specify the host name for the redirect.

  13. Authentication Portal Support for Mobile Devices
  • Users of mobile devices, such as smart phones, can now log in to the Authentication portal (over port 4100).
  • The Authentication portal page is now created in HTML, rather than XSLT, so smart phone browsers can load the page.

  14. Test Connection to AD & LDAP Servers
  • From Fireware XTM Web UI and CLI, you can test the connection to your currently configured Active Directory or LDAP server.
    • You must only specify the domain name for the server to test the connection.
  • You can also find the group information and authentication status for a user in your Active Directory server.
    • Specify the user’s credentials and the domain name that corresponds to the user account.
  • In Fireware XTM Web UI, test the authentication server connection from two places:
    • Select System Status > Server Connection.
    • On the Authentication Servers > LDAP page or the Authentication Servers > Active Directory page, click Test Connection. This redirects you to the System Status > Server Connection page.

  15. Test Connection to AD & LDAP Servers
  • On the Server Connection page, specify the Authentication Server to test, and the User Name and Password to use to test the connection.
  • Click Test Connection to find whether the XTM device can communicate with the authentication server, and to get group information for the specified user.
  • The Results section includes the connection status and user group details.

  16. Test Connection to AD & LDAP Servers
  • From the CLI, run this command: diagnose auth-user <username> <password> <auth domain>
  • CLI output example:
    WG#diagnose auth-user XTM Admin "readwrite" wgtraining.local
    --- User Authenticated Test Results ---
    Connect to server: OK connected to 192.168.54.61
    Log in (bind): OK user XTM Admin@wgtraining.local authenticated
    --- Get group list ---
    Domain Users, SSLVPN-Users, Local-Admins, Unrestricted-internet, WG-mgmt-server-admins, Remote Operators, Users, Remote Desktop Users, Administrators
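The diagnose auth-user output above is the easiest place to confirm, before a policy goes live, that the device can bind to the directory and that the groups a policy or SSL VPN profile relies on are actually returned for a test user. The following Python is an added example, not code from WatchGuard or the slide deck: it parses the slide's own CLI output (copied verbatim as the first sample) plus a constructed failed-bind sample, and reports which required groups are missing. The parse_auth_test and check_required_groups names, and the wording of the failed-bind sample, are this example's assumptions.

```python
import re

# Sample 1: the CLI output shown on the slide (copied from the page).
SAMPLE_OUTPUT = """\
--- User Authenticated Test Results ---
Connect to server: OK connected to 192.168.54.61
Log in (bind): OK user XTM Admin@wgtraining.local authenticated
--- Get group list ---
Domain Users, SSLVPN-Users, Local-Admins, Unrestricted-internet, WG-mgmt-server-admins, Remote Operators, Users, Remote Desktop Users, Administrators
"""

# Sample 2: a CONSTRUCTED failed-bind result (assumed wording, not real Fireware output),
# included so the parser is exercised on the failure case as well.
FAILED_OUTPUT = """\
--- User Authenticated Test Results ---
Connect to server: OK connected to 192.168.54.61
Log in (bind): FAILED invalid credentials for user jdoe@wgtraining.local
"""


def parse_auth_test(text):
    """Parse 'diagnose auth-user' output into connection, bind and group facts."""
    result = {"connected": False, "server": None, "bound": False, "user": None, "groups": []}
    in_groups = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("---"):
            # Section markers: the comma-separated group list follows 'Get group list'.
            in_groups = "get group list" in line.lower()
            continue
        if in_groups:
            result["groups"].extend(g.strip() for g in line.split(",") if g.strip())
        elif line.startswith("Connect to server:"):
            result["connected"] = line.split(":", 1)[1].strip().startswith("OK")
            m = re.search(r"connected to (\S+)", line)
            if m:
                result["server"] = m.group(1)
        elif line.startswith("Log in (bind):"):
            result["bound"] = line.split(":", 1)[1].strip().startswith("OK")
            m = re.search(r"user (.+?) authenticated", line)
            if m:
                result["user"] = m.group(1)
    return result


def check_required_groups(parsed, required):
    """Return the required groups the directory did not return for the user (empty = all present).
    A failed connection or bind means no group is trustworthy, so every required group is reported."""
    if not (parsed["connected"] and parsed["bound"]):
        return sorted(required)
    return sorted(set(required) - set(parsed["groups"]))


if __name__ == "__main__":
    ok = parse_auth_test(SAMPLE_OUTPUT)
    print("bound as", ok["user"], "via", ok["server"])
    print("missing:", check_required_groups(ok, ["SSLVPN-Users", "VPN-Admins"]))
    bad = parse_auth_test(FAILED_OUTPUT)
    print("failed bind ->", check_required_groups(bad, ["SSLVPN-Users"]))
```

Run it against output you copy from your own device; the point of the missing-group check is that a policy tied to a group name the directory never returns will silently deny the user, which the slide's group list lets you catch before users report it.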

  17. Single Sign-On for Terminal Services
  • Terminal Services now supports Single Sign-On, so users do not have to manually authenticate to the authentication portal.
  • When a user logs in to the domain, the TO Agent collects the user’s credentials and group information and provides it to the XTM device.
  • The XTM device then creates the authentication session for the user.
  • When the user logs off, the TO Agent automatically sends the logoff information to the XTM device, and the XTM device closes the user’s authenticated session.

  18. Configuration

  19. Policy Manager Default View
  • The default view in Policy Manager has changed from Large Icons to Details.

  20. XTM Configuration Report — Feature Preview
  • From Fireware XTM Web UI, you can open the XTM device configuration as an HTML page that you can view in your browser or print.
  • Select System > Configuration File > XTM Configuration Report. The XTM Configuration Report appears in a new browser window.
  • From the CLI, use the export command with the html option.

  21. XTM Configuration Report – Feature Preview
  • Not all configuration information is included in this report.
  • It does not include:
    • FireCluster
    • Multi-WAN details
    • Dynamic routing
    • Wireless
    • IPv6, secondary networks, MAC access control, PPPoE, DHCP client, DHCP server, and advanced interface settings
    • Some policy and proxy settings, such as policy-based routing, IPS, Application Control, and notification
    • Proxy action configuration details

  22. Diagnostics

  23. Policy Checker — Feature Preview
  • Available in Fireware XTM Web UI and the Command Line Interface.
  • You must specify these parameters in your search:
    • An interface
    • A protocol — Ping, TCP, or UDP
    • Source and destination IP address
    • Source and destination port — Only applies if you select TCP or UDP as the Protocol
  • Search results can include any of these details:
    • Policy type
    • Policy name
    • An action
    • An interface
    • Source or destination NAT IP address
    • Source or destination NAT port

  24. Policy Checker — Feature Preview
  • In the Web UI, the applicable policy is highlighted in the Firewall Policies list.
  • In the CLI, use the new policy-check command.
    • The interface name is case sensitive.
  • CLI example:
    WG>policy-check Trusted ping 10.0.100.2 203.0.113.2
    -- Result of policy check --
    Policy name: Ping-00
    Cost: 126
    Type: Policy
    Action: Allowed

  25. Download PCAP File from FSM Diagnostic Tasks
  • From the FSM Traffic Monitor, you can run a Diagnostic Task to download a PCAP file.
  • From the Diagnostic Tasks dialog box, run a TCP Dump task. When you have collected enough results, click Stop Task.
  • Click the Save Pcap file button that appears, and specify a location to save the file.
  • Open the PCAP file in third-party utilities, such as Wireshark, to analyze this file.

  26. Proxies and ALGs

  27. New Deny Message for HTTP Proxy Actions
  • The Default Deny Message in the HTTP proxy action has been changed.

  28. More Data Sources for Reputation Enabled Defense
  • The reputation score for a URL is based on feedback collected from devices around the world.
  • It has previously used scan results from two leading anti-malware engines (AVG and Kaspersky), based on data collected from XTM and XCS devices.
  • Reputation Enabled Defense now uses additional data feeds from other leading sources of malware intelligence, such as Phishtank and malwaredomainlist.com, to improve the accuracy of URL reputation scores.

  29. SIP-ALG Registration Expiration
  • In the SIP-ALG proxy action General settings, use the new Registration expires after setting to specify the elapsed time interval before the SIP-ALG rewrites the SIP registration value.
  • VoIP phones and PBX systems use this value to update their registration.
  • The default value is 180 seconds (three minutes) and the maximum value is 600 seconds (ten minutes).

  30. Networking

  31. Increased Maximum Number of VLANs
  • The maximum number of VLANs has been increased for most models.
  • The updated maximum number of VLANs per model are:

  32. Wireless Hotspot Splash Screen Uses HTTP
  • The wireless hotspot splash screen now uses HTTP instead of HTTPS.
  • This change prevents the certificate warning that appeared to users.
  • In Fireware XTM v11.5.x and earlier, the URL of the wireless hotspot splash screen was: https://<IP address of the wireless network>:4100/hotspot
  • In Fireware XTM v11.6, the URL of the wireless hotspot splash screen is: http://<IP address of the wireless network>:4106/hotspot
  • This change was introduced in Fireware XTM v11.5.3 Update 1.

  33. Configurable Dynamic Routing Policies
  • When you enable a dynamic routing protocol, the required dynamic routing policy (BGP, OSPF, or RIP) is automatically added to the configuration.
  • In previous versions, the dynamic routing policy was hidden and not editable.
  • Now, the added policy is not hidden. This enables you to configure static NAT, 1-to-1 NAT, logging, and alarms in your dynamic routing policies.
  • When you upgrade a device to Fireware XTM v11.6, the hidden dynamic routing policies are removed, and editable policies are automatically created.

  34. Configurable Dynamic Routing Policies
  • Policy Manager asks if you want to add the required policies if:
    • You enable a dynamic routing protocol and there is no dynamic routing policy.
    • You save a configuration to the XTM device, and there is no dynamic routing policy for an enabled dynamic routing protocol.
  • If you click Yes, Policy Manager automatically creates a policy for each enabled dynamic routing protocol that does not have a policy. The automatically created dynamic routing policies are: DR-OSPF-Allow, DR-BGP-Allow, DR-RIP-Allow
  • If an existing dynamic routing policy exists, but is disabled, Policy Manager enables that existing policy instead of creating a new policy.

  35. Configurable Dynamic Routing Policies
  • Fireware XTM Web UI automatically enables or adds the required policies for enabled dynamic routing protocols when you save a change to the dynamic routing configuration.
  • Unlike Policy Manager, there is no option to not create the dynamic routing policy.

  36. Configurable Dynamic Routing Policies
  • Other confirmation or informational dialog boxes appear if you:
    • delete the dynamic routing policy for an enabled dynamic routing protocol
    • disable the dynamic routing policy for an enabled dynamic routing protocol
    • disable a dynamic routing protocol that has an associated dynamic routing policy

  37. Branch Office VPN

  38. Inbound IPSec Pass-Through
  • New global VPN setting — Enable built-in IPSec Policy
  • The built-in IPSec policy is not new. Only the ability to disable it is new.
  • The built-in IPSec policy is hidden and is enabled by default.
  • The built-in IPSec policy allows incoming IPSec traffic to the XTM device.
  • The built-in policy enables the XTM device to function as an IPSec VPN endpoint.
  • Disable the built-in IPSec policy only if you want to add IPSec policies to handle incoming IPSec traffic and direct some or all VPN traffic to another VPN endpoint.

  39. Inbound IPSec Pass-Through
  • If you want an IPSec VPN tunnel to pass through the XTM device and terminate on a VPN gateway behind the XTM device, you must:
    • In the global VPN settings, clear the Enable built-in IPSec Policy check box.
    • Add IPSec policies to allow IPSec traffic to the VPN gateway. You can use SNAT or 1-to-1 NAT to route inbound IPSec traffic to a different device.
    • If you want some tunnels to terminate at the XTM device, add another IPSec policy to allow other IPSec traffic to the XTM device.

  40. Improved VPN Phase 2 Key Expiration Settings
  • The Branch Office VPN Phase 2 Proposal configuration is updated.
  • Select the Time and Traffic check boxes to force the gateway endpoints to exchange new keys after a quantity of time or traffic has passed.
  • You cannot set a Force Key Expiration value to zero. You can only disable it.
  • If both Force Key Expiration options are disabled, the key expiration interval is set to 8 hours.
  • By default, both options are enabled, and the default settings are the same as in previous releases:
    • 8 hours
    • 128000 kilobytes

  41. Branch Office VPN Diagnostic Report
  • New VPN Diagnostic Report provides information to help you troubleshoot a branch office VPN.
  • This appears as a new VPN tab in the Diagnostics Tasks dialog box.
  • To run the VPN Diagnostic Report from Firebox System Manager:
    • On the Traffic Monitor tab, right-click and select Diagnostic Tasks. Or, select Tools > Diagnostic Tasks.
    • Select the VPN tab.
    • Select a Gateway to test.
    • Select a Duration to run the test.
    • Click Start Report.
  • To run this report from the Fireware XTM Web UI, select System Status > Diagnostic Tasks.

  42. Branch Office VPN Diagnostic Report
  • The diagnostic log level for the selected VPN gateway is temporarily increased for the duration of the diagnostic report. Maximum duration is 60 seconds.
  • The VPN Diagnostic Report contains these sections:
    • Gateway Summary — A summary of the gateway configuration, and each configured gateway endpoint
    • Tunnel Summary — A summary of the tunnel configuration for all tunnels that use the selected gateway
    • Run-time Info (gateway IKE_SA) — The status of the IKE (Phase 1) security association for the selected gateway
    • Run-time Info (tunnel IPSEC_SA) — The status of the IPSec tunnel (Phase 2) security association for active tunnels that use the selected gateway
    • Run-time Info (tunnel IPSec_SP) — The status of the IPSec tunnel (Phase 2) security policy for active tunnels that use the selected gateway
    • Related Logs — Tunnel negotiation log messages, if a tunnel negotiation occurs during the time period that you run the diagnostic report

  43. BOVPN Log Message Header
  • Branch office VPN log messages now include a header that shows the IP addresses of the local and remote VPN gateway.
  • The format of the header is: (local_gateway_ip<->remote_gateway_ip)
  • The header enables you to filter the log messages by the gateway IP address to find the messages related to a VPN gateway.
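Filtering on the (local_gateway_ip<->remote_gateway_ip) header is what makes per-peer triage possible when several tunnels negotiate at once. The Python below is an added example, not WatchGuard code: it extracts the header with a regular expression, filters a log by a gateway address, and counts negotiation failures per remote peer so a peer that keeps failing stands out. The log lines are constructed for the example; only the header format comes from the slide, and the rest of each line (timestamps, the "iked" tag, the message text) is assumed, not real Fireware output.

```python
import re
from collections import Counter

# Header format documented for Fireware XTM v11.6 BOVPN log messages:
# (local_gateway_ip<->remote_gateway_ip)
HEADER_RE = re.compile(
    r"\((?P<local>\d{1,3}(?:\.\d{1,3}){3})<->(?P<remote>\d{1,3}(?:\.\d{1,3}){3})\)"
)

# CONSTRUCTED sample log lines (not real Fireware output). The gateway header
# follows the documented format; everything around it is illustrative.
SAMPLE_LOGS = [
    "2012-03-01 10:00:01 iked (203.0.113.10<->198.51.100.20) IKE phase 1 negotiation started",
    "2012-03-01 10:00:02 iked (203.0.113.10<->198.51.100.20) IKE phase 1 SA established",
    "2012-03-01 10:00:05 iked (203.0.113.10<->192.0.2.33) IKE phase 1 negotiation started",
    "2012-03-01 10:00:09 iked (203.0.113.10<->192.0.2.33) phase 1 negotiation failed: no proposal chosen",
    "2012-03-01 10:00:12 firewall Allow 10.0.1.5 10.0.2.8 tcp 443 no VPN header on this line",
]


def parse_gateway_header(line):
    """Return (local_ip, remote_ip) from the BOVPN header, or None if the line has none."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    return m.group("local"), m.group("remote")


def filter_by_gateway(lines, gateway_ip):
    """Keep the lines whose header names gateway_ip as either the local or the remote gateway."""
    kept = []
    for line in lines:
        header = parse_gateway_header(line)
        if header and gateway_ip in header:
            kept.append(line)
    return kept


def failures_per_peer(lines):
    """Count lines that report a failure, keyed by remote gateway IP.
    A peer with a high count relative to its neighbours is the one to look at first."""
    counts = Counter()
    for line in lines:
        header = parse_gateway_header(line)
        if header and "failed" in line.lower():
            counts[header[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in filter_by_gateway(SAMPLE_LOGS, "192.0.2.33"):
        print(line)
    print(failures_per_peer(SAMPLE_LOGS))
```

The same two functions work on a log export from Log and Report Manager or on a syslog feed: run filter_by_gateway with the remote peer's address while you run the VPN Diagnostic Report for that gateway, and the Related Logs section and the filtered lines cover the same negotiation.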

  44. Help System Improvements

  45. Help System Improvements
  • Help systems are now in HTML5 format and provide improved search functionality.
  • Searches from major Internet search engines can now find content in our Help.
  • Search results are presented in a more familiar and useful format, with context.

  46. Help System Improvements
  • Use the new “What’s New in This Release” help topic to quickly navigate to the documentation for the new features in this release.

  47. THANK YOU!
